CVE-2017-3756
high-risk
Published 2017-08-18
A privilege escalation vulnerability was identified in Lenovo Active Protection System for ThinkPad systems versions earlier than 1.82.0.17. An attacker with local privileges could execute code with administrative privileges via an unquoted service path.
Do I need to act?
EPSS score: 0.06% chance of exploitation (low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 7.8/10 · High · LOCAL / LOW complexity
Affected Products (20)
Thinkpad 10 Ella 2 Bios
Thinkpad 11E Beema Bios
Thinkpad 11E Braswell Bios
Thinkpad 11E Broadwell Bios
Thinkpad 11E Skylake Bios
Thinkpad E450 Bios
Thinkpad E455 Bios
Thinkpad E460 Bios
Thinkpad E560 Bios
Thinkpad E565 Bios
Thinkpad Edge E540 Bios
Thinkpad L450 Bios
Thinkpad L460 Bios
Thinkpad L560 Bios
Thinkpad S1 Yoga 12 Bios
Thinkpad S1 Yoga Non Vpro Bios
Thinkpad S3 S440 Bios
Thinkpad S3 Yoga 14 Bios
Thinkpad S540 Bios
Thinkpad T440S Bios
References
Third Party Advisory: http://www.securityfocus.com/bid/100305
Vendor Advisory: https://support.lenovo.com/us/en/product_security/LEN-15765
57 / 100 · high-risk
Severity: 24/34 · High
Exploitability: 0/34 · Minimal
Exposure: 33/34 · Critical